EBA consults on guidelines on ICT and security risk management

13 December 2018

These Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market.

Because financial institutions increasingly rely on ICT for their day-to-day operations, they are exposed to growing threats from internal and external attacks, including cyber-attacks, as well as to breaches arising from inadequate business continuity planning for ICT systems and processes or from poor ICT change management. These Guidelines aim to mitigate all ICT risks, internal or external, including security-related risks, for all financial institutions.

The Guidelines set out expectations on governance, the risk assessment process, information security requirements, ICT operational management, security in the change and development processes, and business continuity management, with the aim of mitigating ICT and security risks. For PSPs specifically, the Guidelines also cover the management of their relationship with payment service users (PSUs), so that the measures implemented are clearly communicated to them.

The Guidelines are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to PSPs subject to the revised Payment Services Directive (PSD2), for their payment services.

Comments on this consultation can be sent to the EBA by 13 March 2019. A public hearing will take place at the EBA premises on 13 February 2019 from 14:00 to 16:00 UK time.


© EBA